[BusyBox 0004184]: printf buffer overflow
bugs at busybox.net
Thu Jul 17 16:03:10 PDT 2008
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=4184
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4184
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 07-16-2008 17:32 PDT
Last Modified: 07-17-2008 16:03 PDT
======================================================================
Summary: printf buffer overflow
Description:
Hi, "printf %" leads to a buffer overflow, and prints random values from
the stack:
This should be rejected as in Coreutils:
$ printf %
./printf: %: invalid conversion specification
The problem is that printf does not validate the format specifier. One
possible fix would be to add a check along these lines after line 201 in
printf.c:
direc_start = f++;
+ if (*f == '\0')
+ fprintf(stderr, "invalid conversion
specification");
direc_length = 1;
field_width = precision = -1;
if (*f == '%') {
bb_putchar('%');
break;
}
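Review bot: the added check on *f == '\0' only prints the message and then falls through to direc_length = 1; and the *f == '%' test, so nothing stops the rest of the directive handling from running with f at the terminator. The branch needs braces and an exit from the format processing after reporting (an error return, or the die-style helper suggested in the first note below, keeping in mind the later remark that ash calls printf_main directly). The message also has no trailing newline and does not name the offending directive, unlike the Coreutils output quoted above.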
Thanks,
Cristian
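
Added example, not part of the original report and not BusyBox or Coreutils code: a stand-alone validator that rejects a directive cut short by the end of the format string, which is the "printf %" case above. The name check_format and the accepted conversion set are assumptions for illustration; length modifiers are not handled.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (illustration only): walk a printf(1)-style format
 * and return 0 if every '%' directive is complete, or -1 if one is cut
 * short by the terminating NUL or ends in an unknown conversion. */
int check_format(const char *f)
{
    for (; *f != '\0'; f++) {
        if (*f != '%')
            continue;                 /* ordinary character */
        f++;                          /* step past '%' */
        if (*f == '%')
            continue;                 /* "%%" is a literal percent sign */

        f += strspn(f, "-+ #0");      /* flags */
        if (*f == '*')                /* width: '*' or digits */
            f++;
        else
            f += strspn(f, "0123456789");
        if (*f == '.') {              /* optional precision */
            f++;
            if (*f == '*')
                f++;
            else
                f += strspn(f, "0123456789");
        }

        /* The check the report asks for: a directive must end in a
         * conversion character. strchr() also matches the NUL of its
         * own search string, so the terminator is tested explicitly. */
        if (*f == '\0' || strchr("diouxXfeEgGcsb", *f) == NULL)
            return -1;
    }
    return 0;
}
```

Every advance of f is preceded by a test that the current character is not the terminator, so the scan cannot step past the end of the string.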
======================================================================
----------------------------------------------------------------------
bernhardf - 07-17-08 01:02
----------------------------------------------------------------------
bb_error_msg_and_die("invalid conversion specification"), yes.
What tool of yours is that? Is it available somewhere? Just curious since
it sounds quite useful.. :)
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Try attached patch
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Careful with _and_die, ash uses printf_main directly
----------------------------------------------------------------------
cristic - 07-17-08 16:03
----------------------------------------------------------------------
> What tool of yours is that? Is it available somewhere? Just curious since
> it sounds quite useful.. :)
Hi, it's a tool that works by exploring various execution paths through
the program (using symbolic execution), and generating concrete test cases
for each path that it explores. The tool is still under development, but we
might open source it at some point; we'll definitely let you guys know
when this happens.
Issue History
Date Modified Username Field Change
======================================================================
07-16-08 17:32 cristic New Issue
07-16-08 17:32 cristic Status new => assigned
07-16-08 17:32 cristic Assigned To => BusyBox
07-16-08 17:32 cristic Issue Monitored: cristic
07-17-08 01:02 bernhardf Note Added: 0009544
07-17-08 02:15 vda File Added: printf.diff
07-17-08 02:16 vda Note Added: 0009574
07-17-08 02:16 vda Note Added: 0009584
07-17-08 16:03 cristic Note Added: 0009704
======================================================================